IE broken: Password-stealing, keystroke-logging malware runs amok

Eight days after a critical security flaw in Internet Explorer was publicised on a Chinese website, Microsoft is still working on a fix for the world's most widely used web browser, and the bad guys are having a field day.

When the vulnerability had been public for only three days, Microsoft's own researchers were already reporting a spate of malware written to exploit it:

The exploit sites we’ve seen so far drop a wide variety of malware – most commonly password stealers like new variants of game password stealers like Win32/OnLineGames, and Win32/Lolyda; keyloggers like Win32/Lmir; trojan horse applications like Win32/Helpud along with some previously unseen malware which we generically detect as Win32/SystemHijack. We fully expect the variety of malware being dropped by this exploit to broaden as the exploit code starts to circulate around the Internet underground.

Two days later, Microsoft was warning that as many as 2m computers may already have been exposed to websites serving the exploit and its payload of password-stealers and other malware. Exposure is not the same as infection, but 0.2 per cent of an estimated 1bn PCs in use around the world is still a large number of machines:

Based on our stats, since the vulnerability has gone public, roughly 0.2% of users worldwide may have been exposed to websites containing exploits of this latest vulnerability. That percentage may seem low, however it still means that a significant number of users have been affected. The trend for now is going upwards: we saw an increase of over 50% in the number of reports today compared to yesterday.

Three days on, Microsoft is no longer prepared to talk about the effects of this nasty, rapidly spreading problem. Instead, it is in heavy damage-limitation mode.

Teams of developers have been working tirelessly around the clock and a fix for the flaw will be released on Wednesday morning (West Coast time), a spokesman says. Computer users are fine as long as they follow the company’s security advisory – no need to switch to another browser just to be safe, he insists.

But even the Microsoft advisory was not enough on its own: the company had to revise it to make things “clearer” for computer users who were concerned enough to try to protect themselves. How clear, though, will this be to 1bn computer users around the world?

The recommendation that we made yesterday still holds: evaluate applying a combination of workarounds that both sets the Internet Explorer security settings to High and blocks access to OLEDB32.dll.

Got that?
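For readers who want to see what those two workarounds actually involve on a Windows machine, here is an added illustration in PowerShell. It is not code from the FT post or from Microsoft's advisory: the cacls syntax mirrors the deny-ACL approach Microsoft described, the registry value taken to mean "High" for the Internet zone (CurrentLevel 0x12000) is my reading of IE's zone templates rather than anything stated on this page, and the file paths assume a standard Windows installation. It has to be run from an elevated prompt, and the -Undo switch exists because the deny entry must be removed once the patch is installed, or anything that relies on OLE DB will stay broken.

```powershell
# Added example (not from the FT post or Microsoft's advisory): apply, verify
# and undo the "block OLEDB32.dll" workaround, and check whether the Internet
# zone is set to High. Assumptions: standard Common Files paths; cacls.exe
# present (it was on XP/Vista); CurrentLevel 0x12000 == the "High" template.
param([switch]$Undo)

# oledb32.dll lives under Common Files; on 64-bit Windows there are two copies.
$candidates = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'System\Ole DB\oledb32.dll' } |
    Where-Object { Test-Path $_ }

foreach ($dll in $candidates) {
    if ($Undo) {
        # /E edits the existing ACL, /R removes the entry for Everyone.
        # Do this after patching, otherwise ADO/OLE DB applications stay broken.
        & cacls.exe "$dll" /E /R Everyone | Out-Null
    } else {
        # /E edits the existing ACL instead of replacing it; /P Everyone:N adds a
        # deny entry, so Internet Explorer can no longer load the DLL.
        & cacls.exe "$dll" /E /P Everyone:N | Out-Null
    }

    # Verify: a Deny ACE for Everyone should now be present (absent after -Undo).
    $deny = (Get-Acl -Path $dll).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and
                       $_.IdentityReference.Value -eq 'Everyone' }
    '{0}: deny ACE {1}' -f $dll, $(if ($deny) { 'present' } else { 'absent' })
}

# Internet zone is zone 3. CurrentLevel 0x12000 is the "High" template (assumed);
# 0x11000 is the Medium default that most IE7 users would have had.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$level = (Get-ItemProperty -Path $zoneKey -Name CurrentLevel -ErrorAction SilentlyContinue).CurrentLevel
if ($level -eq 0x12000) {
    'Internet zone: High'
} else {
    'Internet zone: CurrentLevel=0x{0:X} (not High; change it under Tools > Internet Options > Security)' -f $level
}
```

Note what the script does not do: it does not change the zone level for you, because the High template also disables scripting and ActiveX for every site, which is exactly the trade-off that made the advisory hard to sell to ordinary users. The deny ACL is the blunter of the two workarounds and breaks every application that loads OLE DB, so it is only sensible as a stopgap until the patch lands.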

FT Tech Hub blog archive: December 2008